
Rotation turns a static signal into a moving target. Here's how TreeChain's GlyphRotor lowers detectability, drains attacker ROI, and keeps provenance intact—all while ChaCha20-Poly1305 guards the crown jewels.
Introduction
Traditional ciphertext has a tell: it looks like ciphertext—base64 or hex blocks that never change appearance. That's a beacon for scrapers, DLP, and model trainers. TreeChain replaces that beacon with a moving veil—glyph representations that rotate on a schedule.
This deep dive explains how the GlyphRotor works and why rotation matters even when your core encryption remains ChaCha20-Poly1305. The design takes its cue from the Enigma machine's rotating substitution mechanism: each byte position encounters a different substitution table.
The Problem: Static Signal = Easy Targeting
- Classifier friendly: Base64 and hex signatures are trivial to spot at scale
- Correlation rich: Identical ciphertext representations persist across time and systems
- Scraper ROI: Once tagged, blobs are hoarded "for later" even without decryption
Static appearance is free telemetry for adversaries. Rotation removes the free lunch.
GlyphRotor Basics
The rotor maps ciphertext bytes to a curated set of 133,387 Unicode glyphs across 8 emotional palettes (the Philosopher Series). Mappings are scoped by tenant and epoch, then signed into the object's provenance envelope.
Lifecycle
- Encrypt: ChaCha20-Poly1305 → ciphertext + authentication tag
- Camouflage: Map bytes → glyphs using active mapping M(tenant, epoch)
- Envelope: Attach {tenant, rotorEpoch, consent, purpose, signature}
- Verify/Decrypt: Verify envelope → decode glyphs with M → ChaCha20 decrypt
Even with M, you still need two independent 256-bit keys to break the encryption.
Security Effects of Rotation
Detectability ↓
Heuristics tuned to base64/hex fail; glyph sets look like ordinary multilingual text. As mappings rotate, learned fingerprints decay.
Correlation ↓
The same ciphertext encodes to different glyph strings across epochs—frustrating long-term linkage attempts.
Scraping ROI ↓
Stale mapping snapshots lose value quickly. Attackers must re-learn constantly while encryption still gates the crown jewels.
Forensics ↑
rotorEpoch in the envelope anchors investigations without exposing payloads. Full audit trail preserved.
Policy & Epochs
Rotation policy balances freshness with operational stability. Defaults: short epochs (5–60 minutes) and per-tenant schedules. High-risk tenants choose faster rotations; batch jobs align epochs with job boundaries.
- Per-tenant diversity: Different mappings across tenants limit cross-customer correlation
- Grace windows: Read paths accept current + previous epoch to avoid flapping during changeover
- Backfill: Old glyphs remain decodable via recorded epoch in the envelope
- Position-dependent: Each byte position uses a different substitution table derived from seed
Ops & Observability
- Log rotorEpoch with object IDs to aid incident response
- Expose a lightweight /rotor/status endpoint for monitoring current mapping IDs (no secrets)
- Alert if decode requests reference epochs outside retention (possible tamper or clock skew)
Metrics to watch: detectability rate, glyph decode error rate, decrypt success rate, epoch skew.
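As an added illustration, not TreeChain's own code, the Python below models the lifecycle and policy points above: per-position substitution tables derived from a glyph key, tenant and epoch; the same ciphertext encoding to different glyph strings across epochs and tenants; and a read path that decodes via the envelope's rotorEpoch while alerting on epochs outside retention. The glyph pool, the HMAC-based table derivation, and the sample key and ciphertext are constructed assumptions.

```python
import hashlib
import hmac
import random

# Constructed glyph pool standing in for the Philosopher Series (an assumption):
# 512 consecutive CJK ideographs, so each table can pick 256 distinct glyphs.
GLYPH_POOL = [chr(0x4E00 + i) for i in range(512)]
TABLE_SIZE = 256  # one glyph per possible ciphertext byte value

def derive_table(glyph_key: bytes, tenant: str, epoch: int, position: int) -> list:
    """Position-dependent substitution table for one (tenant, epoch): 256
    distinct glyphs indexed by byte value. The seed is an HMAC over tenant,
    epoch and position under the glyph key (a hypothetical derivation)."""
    label = f"{tenant}|{epoch}|{position}".encode()
    seed = hmac.new(glyph_key, label, hashlib.sha256).digest()
    rng = random.Random(seed)  # deterministic PRNG seeded from the HMAC output
    return [GLYPH_POOL[i] for i in rng.sample(range(len(GLYPH_POOL)), TABLE_SIZE)]

def encode(glyph_key: bytes, tenant: str, epoch: int, ciphertext: bytes) -> str:
    """Camouflage step: each ciphertext byte goes through its own position's table."""
    return "".join(derive_table(glyph_key, tenant, epoch, i)[b]
                   for i, b in enumerate(ciphertext))

def decode(glyph_key: bytes, tenant: str, epoch: int, glyphs: str) -> bytes:
    """Inverse of encode. A glyph missing from its position's table means a wrong
    epoch or tampering, so list.index raises ValueError."""
    out = bytearray()
    for i, g in enumerate(glyphs):
        out.append(derive_table(glyph_key, tenant, epoch, i).index(g))
    return bytes(out)

def decode_envelope(glyph_key: bytes, envelope: dict, glyphs: str,
                    current_epoch: int, retention: int) -> bytes:
    """Read path: decode with the rotorEpoch recorded in the envelope (backfill),
    but refuse epochs from the future (clock skew) or older than retention."""
    epoch = envelope["rotorEpoch"]
    if epoch > current_epoch or epoch < current_epoch - retention:
        raise ValueError(f"rotorEpoch {epoch} outside retention: alert")
    return decode(glyph_key, envelope["tenant"], epoch, glyphs)

# Constructed sample input: a fake 16-byte ciphertext and a fake 256-bit glyph key.
SAMPLE_CT = bytes(range(0xA0, 0xB0))
SAMPLE_KEY = hashlib.sha256(b"constructed-glyph-key").digest()

if __name__ == "__main__":
    g7 = encode(SAMPLE_KEY, "tenant-a", 7, SAMPLE_CT)
    g8 = encode(SAMPLE_KEY, "tenant-a", 8, SAMPLE_CT)
    print(g7, g8, g7 != g8)  # same ciphertext, different glyph strings per epoch
```

The rotor layer is keyed camouflage: whoever holds the glyph key, tenant and epoch recovers the ciphertext bytes, so confidentiality still rests on the ChaCha20-Poly1305 layer underneath.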
Threat Scenarios
1) Mapping Snapshot Leak
Attacker obtains M(tenant, epoch). Impact: short-lived ability to re-render glyphs to ciphertext bytes, but still no encryption keys → no plaintext. Rotation limits the window.
2) Bulk Scraping & Model Training
Heuristics tuned to base64/hex miss glyph strings. Even if detected, cross-epoch correlation collapses; envelopes assert "no-train" in machine-readable form.
3) Insider Pattern Hunt
Log searches for "encrypted-looking data" return less. Access must rely on verified envelopes, not naive entropy flags.
FAQs
What happens if an attacker leaks a mapping snapshot?
They gain short-lived ability to convert glyphs to ciphertext bytes, but still need two independent 256-bit keys to decrypt. Rotation limits the window of usefulness.
How often should mappings rotate?
Defaults are 5–60 minute epochs with per-tenant schedules. High-risk tenants choose faster rotations; batch jobs align with job boundaries.
Does rotation break decryption of old data?
No. The rotorEpoch is stored in the provenance envelope. Old glyphs remain decodable via the recorded epoch.
Does mapping knowledge enable decryption?
No. Mapping only converts glyphs to ciphertext bytes. You still need two independent 256-bit keys (ChaCha20-Poly1305 + glyph key) to reach plaintext.